Got a Mac? macOS Newest Update Lets Anyone Gain Root Access Without a Password

12
Found 29th Nov 2017
Yikes, pretty big security flaw. Make sure you keep your Mac locked when not using it in whilst apple sort a fix.

2844539-DVqpv.jpg
(via thehackernews)

If you own a Mac computer and run the latest version of Apple's operating system, macOS High Sierra, then you need to be extra careful with your computer.

A serious, yet stupid vulnerability has been discovered in macOS High Sierra that allows untrusted users to quickly gain unfettered administrative (or root) control on your Mac without any password or security check, potentially leaving your data at risk.


Discovered by developer Lemi Orhan Ergin on Tuesday, the vulnerability only requires anyone with physical access to the target macOS machine to enter "root" into the username field, leave the password blank, and hit the Enter a few times—and Voila!
In simple words, the flaw allows an unauthorized user that gets physical access on a target computer to immediately gain the highest level of access to the computer, known as "root," without actually typing any password.

Needless to say, this blindingly easy Mac exploit really scary stuff.

This vulnerability is similar to one Apple patched last month, which affected encrypted volumes using APFS wherein the password hint section was showing the actual password of the user in the plain text.

Here's How to Temporarily Fix the macOS High Sierra Bug

Fortunately, the developer suggested a temporary fix for this issue which is as easy as its exploit.

To fix the vulnerability, you need to enable the root user with a password. Heres how to do that:

  • Open System Preferences and Select Users & Groups
  • Click on the lock icon and Enter your administrator name and password there
  • Click on "Login Options" and select "Join" at the bottom of the screen
  • Select "Open Directory Utility"
  • Click on the lock icon to make changes and type your username and password there
  • Click "Edit" at the top of the menu bar
  • Select "Enable Root User" and set a password for the root user account

This password will prevent the account from being accessed with a blank password.

Just to be on the safer side, you can also disable Guest accounts on your Mac. for this, head on to System Preferences → Users & Groups, select Guest User after entering your admin password, and disable "Allow guests to log in to this computer."
Community Updates
Misc
12 Comments
32602989-N7KOm.jpg
So the reason someone can get root, is they haven't set a root password? Well, colour me thoroughly surprised.
MSK.2 m ago

So the reason someone can get root, is they haven't set a root password? …So the reason someone can get root, is they haven't set a root password? Well, colour me thoroughly surprised.


Oh yeah Never thought of it like that
Only 16 hours too late - was all over the news this morning
rogparki6 m ago

Only 16 hours too late - was all over the news this morning



Might help those that didn't see this in the news this morning?
Edited by: "tregs" 29th Nov 2017
Yeah, I have one so thanks for posting. Will this problem be on a mac book air laptop???
summerof7610 m ago

Yeah, I have one so thanks for posting. Will this problem be on a mac book …Yeah, I have one so thanks for posting. Will this problem be on a mac book air laptop???



dpends on the os not model macOS High Sierra is the one with this problem
Edited by: "Infractionboi" 29th Nov 2017
MSK.1 h, 36 m ago

So the reason someone can get root, is they haven't set a root password? …So the reason someone can get root, is they haven't set a root password? Well, colour me thoroughly surprised.


If the fix involves enabling root user then it's pretty surprising to me.
mattmerch4 m ago

dpends on the os not model macOS High Sierra is the one with this problem


Thanks
Fixed now, Apple released an update. Pretty quick to be fair, although it was a major cock up by them.
I was always told to put my root down / kick it root down.
Faz101 h, 34 m ago

I have not ywt updated to Sierra yet so am i still venerable to this hack ?


This only affected High Sierra and there's a fix now.
Post a comment
Avatar
@
    Text

    Top Discussions

    Top Discussions

    Top Merchants